[nsp-sec] Headsup Akamai: phishing site; headsup others: possible phishers
John Payne
john at sackheads.org
Tue Jul 8 12:06:53 EDT 2008
On Jul 8, 2008, at 10:22 AM, SURFcert - Peter wrote:
> ----------- nsp-security Confidential --------
>
> Hello,
>
> We have had a report about a phishing site for Wellsfargo. Upon
> investigation we found the site was using information located on what
> seems an Akamai server:
>
> https://a248.e.akamai.net/f/248/1856/90m/www.wellsfargo.com/

https://a248.e.akamai.net/ is a grandfathered-in gross hack for
customers who don't want full SSL delivery of all their objects but
also don't want mixed-content warnings.

If you go to www.wellsfargo.com, the little logo at the top is:
https://a248.e.akamai.net/f/248/1856/90m/www.wellsfargo.com/img/hp/logo_62sq.gif
for example. There is a whitelist of what can be served based upon a
customer code that's hidden in that URL string.

>
> We don't know if this is a legitimate Wellsfargo site but other links to
> Wellsfargo information (images and things like that) used the real
> www.wellsfargo.com URL.
>
> The phishers had also installed a nstview package but that didn't work
> because the scripts in wwgf.php weren't allowed to run from the location
> it was uploaded to.
>
> That script was accessed from a number of IP addresses:
>
> AS    | IP              | AS Name
> 9050  | 92.80.161.84    | RTD RTD-ROMTELECOM Autonomous System Number
> 12491 | 81.199.5.32     | IPPLANET-AS IPPlanet
> 14778 | 74.6.17.156     | INKTOMI-LAWSON - Inktomi Corporation
> 12491 | 81.199.5.78     | IPPLANET-AS IPPlanet
> 16422 | 77.220.3.111    | NEWSKIES-NETWORKS - New Skies Networks, Inc.
> 26228 | 64.151.82.172   | SERVEPATH - ServePath, LLC
> 33776 | 41.219.204.206  | STARCOMMS-ASN
> 24900 | 212.112.242.89  | IPX-SERVER IPX Server GmbH
> 6517  | 209.120.218.130 | RELIANCEGLOBALCOM - Reliance Globalcom Services, Inc
>
> Timestamps range from 12/Jun/2008:13:47:10 +0200 to 02/Jul/2008:21:15:09 +0200
> and can be provided.
>
> - --
> Peter Peters
> SURFcert Officer on Duty
> cert at surfnet.nl http://cert.surfnet.nl/
> office-hours: +31 302 305 305 emergency (24/7): +31 622 923 564